The latest Patch Tuesday update from Microsoft included several critical security fixes. Unfortunately, as Microsoft has now confirmed, it also borked some things. If you haven’t applied that August 13 update and are running on Windows 10, Windows 8.1 or Windows 7, you may want to read this before you do.
What’s the problem with the latest Patch Tuesday Windows update?
Microsoft has confirmed a bunch of “known issues” with the August 13 Windows update. Some, such as the “black screen during first logon after installing updates” issue, have hit users after previous updates. That can be filed in the “annoying but ultimately not much to worry about” folder: it only impacts a “small number” of users, and only the first time they log on after the update.
Anything that impacts millions of users is a far more serious thing. And so it is that Microsoft has confirmed that this Patch Tuesday update does just that.
“After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an ‘invalid procedure call error,’” Microsoft has stated.
Don’t assume that VB6 isn’t something that concerns you as a non-programmer Windows user. It almost certainly does if you, or your organization, use Microsoft Office. VBA apps along with VB6 still power Office scripts, macros and processes that are essential for many businesses.
Which versions of Windows are impacted?
The issue has been found to affect users of the following Windows versions:
Windows 7 and Windows Server 2008 R2; Windows 8.1 and Windows Server 2012 R2; Windows 10 version 1507; Windows 10 version 1607 and Windows Server 2016; Windows 10 version 1703; Windows 10 version 1709; Windows 10 version 1803; Windows 10 version 1809 and Windows Server 2019; Windows 10 version 1903 and Windows Server 1903.
What is Microsoft doing about it?
Good question. Kay Ewbank, writing at i-programmer, reported that “The Visual Studio blog has been remarkably quiet about the problem, posting an item about template search in Visual Studio, but nothing about how Microsoft has caused grief for a large majority of Visual Basic developers.”
Microsoft has said that it “is working on a resolution,” and estimates the fix will be available “in the coming days.” Because the fix will be an optional update, users who find their Windows experience broken by the Patch Tuesday update will have to manually “check for updates” to apply it. The irony that, for many, the update causing the grief was installed automatically is not lost on me.
Why is this a security problem?
I’m a security guy. I have been a security guy since before the Internet was even a thing for most people. I encourage everyone to install the latest Windows Update as soon as possible to mitigate critical security vulnerabilities such as the new wormable remote code execution duo that led to Microsoft urging customers to patch as quickly as possible. Or how about the related BlueKeep threat that led to the NSA issuing an “update now” warning to Windows users?
However, it is becoming increasingly difficult to wear my security guy hat in the face of updates that freeze Windows or crash your PC. Worse yet, some Windows updates have even broken security features.
Please don’t think that I’m a Microsoft hater as that is very far from the truth. I am a Windows 10 user myself, and I appreciate the complexity of maintaining such a behemoth of code. However, that doesn’t stop me from thinking that Microsoft can surely do better.
Why was this latest issue with Visual Basic not exposed during testing before the update was rolled out to everyone? An organization the size of Microsoft, with the resources it has to hand, should have quality testing processes that are market-leading.
This is a security problem because it makes people think twice before applying updates that are essential from that security perspective. I’m not even talking about the organizations that will implement some reasoned risk analysis that balances the threat exposure against the business continuity. Instead, I’m talking about the hundreds of millions of ordinary Windows users who will see the updates breaking stuff and switch them off where they can.
These are the very same users who are most at risk from the vulnerabilities that get fixed in those updates. These are the users for whom security isn’t front and center when using their computers; getting the task at hand, whatever it may be, done is all that matters.